CERT_IE.h

00001 /*
00002  *
00003  ** @file CERT_IE.h
00004  ** Definition of the CERT "standard" information elements extension to
00005  ** the IETF standard RFC 5102 information elements
00006  **
00007  ** ------------------------------------------------------------------------
00008  ** Copyright (C) 2009-2012 Carnegie Mellon University. All Rights Reserved.
00009  ** ------------------------------------------------------------------------
00010  ** Authors: Brian Trammell, Chris Inacio, Emily Ecoff <ecoff@cert.org>
00011  ** <netsa-help@cert.org>
00012  ** ------------------------------------------------------------------------
00013  ** Use of the YAF system and related source code is subject to the terms
00014  ** of the following licenses:
00015  **
00016  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
00017  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
00018  **
00019  ** NO WARRANTY
00020  **
00021  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
00022  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
00023  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
00024  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
00025  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
00026  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
00027  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
00028  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
00029  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
00030  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
00031  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
00032  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
00033  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
00034  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
00035  ** DELIVERABLES UNDER THIS LICENSE.
00036  **
00037  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
00038  ** Mellon University, its trustees, officers, employees, and agents from
00039  ** all claims or demands made against them (and any related losses,
00040  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
00041  ** and/or its sub licensees' negligent use or willful misuse of or
00042  ** negligent conduct or willful misconduct regarding the Software,
00043  ** facilities, or other rights or assistance granted by Carnegie Mellon
00044  ** University under this License, including, but not limited to, any
00045  ** claims of product liability, personal injury, death, damage to
00046  ** property, or violation of any laws or regulations.
00047  **
00048  ** Carnegie Mellon University Software Engineering Institute authored
00049  ** documents are sponsored by the U.S. Department of Defense under
00050  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
00051  ** copyrights in all material produced under this contract. The U.S.
00052  ** Government retains a non-exclusive, royalty-free license to publish or
00053  ** reproduce these documents, or allow others to do so, for U.S.
00054  ** Government purposes only pursuant to the copyright license under the
00055  ** contract clause at 252.227.7013.
00056  **
00057  ** ------------------------------------------------------------------------
00058  */
00059 
00060 
00061 #ifndef CERT_IE_H_
00062 #define CERT_IE_H_
00063 
00064 
/*
 * CERT private-enterprise information elements that YAF exports in every
 * build (the DPI elements below are compiled only under YAF_ENABLE_HOOKS).
 *
 * Each FB_IE_INIT entry is (name, PEN, element id, length in octets or
 * FB_IE_VARLEN, flags) and the list is terminated by FB_IE_NULL.
 * FB_IE_F_ENDIAN requests byte-order conversion of an integer field on
 * transcode; FB_IE_F_REVERSIBLE says the element also has a
 * reverse-direction counterpart.  Element ids used here (14-40, 100-107)
 * do not overlap those in yaf_dpi_info_elements (110-226); ids must stay
 * unique within CERT_PEN when entries are added to either table.
 *
 * Defined static in a header, so every translation unit that includes
 * this file gets its own copy of the array.
 *
 * NOTE(review): "payload", the two banner elements and the OS fingerprint
 * fields carry bytes taken from captured traffic.  Records that include
 * them are sensitive data in transit and at rest; exporter deployments
 * should pair them with transport protection, access control and a
 * retention policy.
 */
static fbInfoElement_t yaf_info_elements[] = {
    /* TCP flag summaries: flags of the first packet and the union over the flow. */
    FB_IE_INIT("initialTCPFlags", CERT_PEN, 14, 1, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
    FB_IE_INIT("unionTCPFlags", CERT_PEN, 15, 1, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
    /* Captured payload bytes (variable length, reversible). */
    FB_IE_INIT("payload", CERT_PEN, 18, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    /* Time between forward and reverse first packets, 4-octet integer. */
    FB_IE_INIT("reverseFlowDeltaMilliseconds", CERT_PEN, 21, 4, FB_IE_F_ENDIAN),
    /* Application label as used by SiLK (2-octet integer). */
    FB_IE_INIT("silkAppLabel", CERT_PEN, 33, 2, FB_IE_F_ENDIAN),
    /* Single-octet entropy estimate of the payload. */
    FB_IE_INIT("payloadEntropy", CERT_PEN, 35, 1, FB_IE_F_REVERSIBLE),
    /* Passive OS fingerprinting results and first-packet banners (strings). */
    FB_IE_INIT("osName", CERT_PEN, 36, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("osVersion", CERT_PEN, 37, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("firstPacketBanner", CERT_PEN, 38, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("secondPacketBanner", CERT_PEN, 39, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    /* 2-octet flow attribute bit field. */
    FB_IE_INIT("flowAttributes", CERT_PEN, 40, 2, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
    /* Note: id 107 is listed ahead of 100-105; array order is not id order. */
    FB_IE_INIT("osFingerPrint", CERT_PEN, 107, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    /* Fragment-reassembly and flow-table statistics, 4-octet integers each. */
    FB_IE_INIT("expiredFragmentCount", CERT_PEN, 100, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("assembledFragmentCount", CERT_PEN, 101, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("meanFlowRate", CERT_PEN, 102, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("meanPacketRate", CERT_PEN, 103, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("flowTableFlushEventCount", CERT_PEN, 104, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("flowTablePeakCount", CERT_PEN, 105, 4, FB_IE_F_ENDIAN),
    /* Terminator; must remain the last entry. */
    FB_IE_NULL
};
00092 
00093 
00094 #if YAF_ENABLE_HOOKS
/*
 * Deep-packet-inspection information elements, compiled only when
 * YAF_ENABLE_HOOKS is set.  Same FB_IE_INIT layout as yaf_info_elements:
 * (name, PEN, element id, length or FB_IE_VARLEN, flags), FB_IE_NULL last.
 * Element ids here run 110-226 and must not collide with those in
 * yaf_info_elements.
 *
 * NOTE(review): FB_IE_F_ENDIAN is set on every entry, including the
 * FB_IE_VARLEN string elements where byte-order conversion does not
 * apply; this appears harmless but differs from the first table, where
 * only fixed-length integer elements carry the flag - confirm intended.
 *
 * NOTE(review): judging by their names, elements such as ftpUser/ftpPass,
 * imapLogin, imapAuthenticate, mysqlUsername, httpCookie and
 * httpSetCookie carry credentials or session tokens copied from
 * cleartext protocol traffic, and the *TextMessage / httpGet / smtp*
 * elements carry message content.  Exports containing these records
 * need the same protection as the monitored traffic itself (encrypted
 * transport, restricted collector access, limited retention).
 */
static fbInfoElement_t yaf_dpi_info_elements[] = {
    /* HTTP request/response headers (strings); cookies are at ids 220-221. */
    FB_IE_INIT("httpServerString", CERT_PEN, 110, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpUserAgent", CERT_PEN, 111, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpGet", CERT_PEN, 112, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpConnection", CERT_PEN, 113, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpVersion", CERT_PEN, 114, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpReferer", CERT_PEN, 115, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpLocation", CERT_PEN, 116, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpHost", CERT_PEN, 117, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpContentLength", CERT_PEN, 118, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpAge", CERT_PEN, 119, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpAccept", CERT_PEN, 120, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpAcceptLanguage", CERT_PEN, 121, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpContentType", CERT_PEN, 122, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpResponse", CERT_PEN, 123, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* POP3 / IRC message text and TFTP request fields. */
    FB_IE_INIT("pop3TextMessage", CERT_PEN, 124, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("ircTextMessage", CERT_PEN, 125, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("tftpFilename", CERT_PEN, 126, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("tftpMode", CERT_PEN, 127, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SLP: two 1-octet fields plus a string. */
    FB_IE_INIT("slpVersion", CERT_PEN, 128, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("slpMessageType", CERT_PEN, 129, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("slpString", CERT_PEN, 130, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* FTP control-channel fields; ftpUser/ftpPass are credential material. */
    FB_IE_INIT("ftpReturn", CERT_PEN, 131, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("ftpUser", CERT_PEN, 132, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("ftpPass", CERT_PEN,133, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("ftpType", CERT_PEN,134, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("ftpRespCode", CERT_PEN,135, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* IMAP commands and responses; imapLogin/imapAuthenticate carry login exchanges. */
    FB_IE_INIT("imapCapability", CERT_PEN, 136, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapLogin", CERT_PEN, 137, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapStartTLS", CERT_PEN, 138, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapAuthenticate", CERT_PEN, 139, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapCommand", CERT_PEN, 140, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapExists", CERT_PEN, 141, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("imapRecent", CERT_PEN, 142, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* RTSP headers (all strings). */
    FB_IE_INIT("rtspURL", CERT_PEN, 143, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspVersion", CERT_PEN, 144, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspReturnCode", CERT_PEN, 145, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspContentLength", CERT_PEN, 146, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspCommand", CERT_PEN, 147, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspContentType", CERT_PEN, 148, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspTransport", CERT_PEN, 149, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspCSeq", CERT_PEN, 150, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspLocation", CERT_PEN, 151, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspPacketsReceived", CERT_PEN, 152, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspUserAgent", CERT_PEN, 153, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("rtspJitter", CERT_PEN, 154, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SIP headers (all strings). */
    FB_IE_INIT("sipInvite", CERT_PEN, 155, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipCommand", CERT_PEN, 156, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipVia", CERT_PEN, 157, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipMaxForwards", CERT_PEN, 158, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipAddress", CERT_PEN, 159, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipContentLength", CERT_PEN, 160, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sipUserAgent", CERT_PEN, 161, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SMTP envelope and message headers; smtpSize is at id 222 below. */
    FB_IE_INIT("smtpHello", CERT_PEN, 162, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpFrom", CERT_PEN, 163, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpTo", CERT_PEN, 164, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpContentType", CERT_PEN, 165, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpSubject", CERT_PEN, 166, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpFilename", CERT_PEN, 167, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpContentDisposition", CERT_PEN, 168, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpResponse", CERT_PEN, 169, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("smtpEnhanced", CERT_PEN, 170, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SSH version banner and NNTP exchange. */
    FB_IE_INIT("sshVersion", CERT_PEN, 171, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("nntpResponse", CERT_PEN, 172, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("nntpCommand", CERT_PEN, 173, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* DNS: header/flag fields as 1- or 2-octet integers, names as strings.
     * Further DNS elements are at ids 199, 208-219 and 226 below. */
    FB_IE_INIT("dnsQueryResponse", CERT_PEN, 174, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsQRType", CERT_PEN, 175, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsAuthoritative", CERT_PEN, 176, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsNXDomain", CERT_PEN, 177, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsRRSection", CERT_PEN, 178, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsQName", CERT_PEN, 179, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsCName", CERT_PEN, 180, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsMXPreference", CERT_PEN, 181, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsMXExchange", CERT_PEN, 182, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsNSDName", CERT_PEN, 183, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsPTRDName", CERT_PEN, 184, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SSL/TLS handshake parameters and certificate issuer fields. */
    FB_IE_INIT("sslCipher", CERT_PEN, 185, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslClientVersion", CERT_PEN, 186, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslServerCipher", CERT_PEN, 187, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCompressionMethod", CERT_PEN, 188, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertVersion", CERT_PEN, 189, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSignature", CERT_PEN, 190, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerCountryName", CERT_PEN, 191, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerOrgName", CERT_PEN, 192, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerOrgUnitName", CERT_PEN, 193, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerZipCode", CERT_PEN, 194, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerState", CERT_PEN, 195, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerCommonName", CERT_PEN, 196, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerLocalityName", CERT_PEN, 197, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertIssuerStreetAddress", CERT_PEN, 198, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* dnsTTL sits between the SSL issuer and subject groups. */
    FB_IE_INIT("dnsTTL", CERT_PEN, 199, 4, FB_IE_F_ENDIAN),
    /* SSL/TLS certificate subject fields. */
    FB_IE_INIT("sslCertSubCountryName", CERT_PEN, 200, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubOrgName", CERT_PEN, 201, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubOrgUnitName", CERT_PEN, 202, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubZipCode", CERT_PEN, 203, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubState", CERT_PEN, 204, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubCommonName", CERT_PEN, 205, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubLocalityName", CERT_PEN, 206, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSubStreetAddress", CERT_PEN, 207, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* DNS TXT, SOA and SRV record fields (4- and 2-octet integers, names as strings). */
    FB_IE_INIT("dnsTXTData", CERT_PEN, 208, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOASerial", CERT_PEN, 209, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOARefresh", CERT_PEN, 210, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOARetry", CERT_PEN, 211, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAExpire", CERT_PEN, 212, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAMinimum", CERT_PEN, 213, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAMName", CERT_PEN, 214, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOARName", CERT_PEN, 215, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVPriority", CERT_PEN, 216, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVWeight", CERT_PEN, 217, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVPort", CERT_PEN, 218, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVTarget", CERT_PEN, 219, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* HTTP cookies (session material), late addition to the HTTP group. */
    FB_IE_INIT("httpCookie", CERT_PEN, 220, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("httpSetCookie", CERT_PEN, 221, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* SMTP SIZE parameter, exported as a string rather than an integer. */
    FB_IE_INIT("smtpSize", CERT_PEN, 222, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* MySQL login name and command stream (command code is a 1-octet integer). */
    FB_IE_INIT("mysqlUsername", CERT_PEN, 223, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    FB_IE_INIT("mysqlCommandCode", CERT_PEN, 224, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("mysqlCommandText", CERT_PEN, 225, FB_IE_VARLEN, FB_IE_F_ENDIAN),
    /* DNS transaction id, 2 octets. */
    FB_IE_INIT("dnsID", CERT_PEN, 226, 2, FB_IE_F_ENDIAN),
    /* Terminator; must remain the last entry. */
    FB_IE_NULL
};
00215 #endif
00216 
00217 #endif